WHAT IS CLAIMED IS:

1. A method for the automatic distribution, review and revocation of user and group permissions to objects through management of role permissions to abstract objects in a computing environment comprising a role-based access control system that includes a directed acyclic graph representing role-membership inheritance relationships and a directed acyclic graph representing role-permission inheritance relationships, said method comprising:
associating each role with the set of abstract objects accessible to the said role, said association requiring neither redundant storage and maintenance of permissions nor exhaustive system searches.

2. The method of claim 1, further comprising:
defining and managing the abstract permissions of a role on abstract objects; and
finding, retrieving, and displaying abstract permissions of a role on abstract objects; and
adding an abstract object to the set of abstract objects associated with a role whenever said abstract object becomes accessible to said role; and
deleting an abstract object from the set of abstract objects associated with a role whenever said abstract object becomes inaccessible to said role.

3. The method of claim 2, further comprising:
creating, finding, retrieving, displaying, and deleting instances of a role on a host computer or set of host computers, using group nesting and a directed acyclic graph of role-membership inheritance; and
creating, finding, retrieving, displaying, and deleting object instances of abstract objects on a host computer or set of host computers; and
registering objects as instances of abstract objects on a host computer or set of host computers; and
deriving permissions of a role instance on object instances from the abstract permissions of said role on said abstract objects; and
registering permissions on objects as instances of abstract permissions on abstract objects on a host computer or set of host computers; and
finding, retrieving, and displaying the permissions derived from abstract permissions defined on abstract objects.

4. The method of claim 3, further comprising the steps of:
creating an instance of an RBAC user on a set of host computers, said user instance being called global with respect to said set of host computers; and
creating an instance of an RBAC user on a host computer, said user instance being called local with respect to said host computer, unless said host computer is used to control a set of host computers, in which case the instance is called global with respect to said set of host computers; and
creating a role instance on a set of host computers, said role instance being called global with respect to said set of host computers; and
creating a role instance on a host computer, said role instance being called local with respect to said host computer, unless said host computer is used to control a set of host computers, in which case one can select whether the instance will be local with respect to said host computer, or global with respect to said set of host computers; and
including a local user instance in a local role instance, if said user is assigned to said role, and both said instances were derived on the same host computer; and
including a global user instance in a local role instance, if said user is assigned to said role, and said local role instance was derived on a host computer included in the set of host computers used to derive said global user instance; and
including the global user instance in a global role instance, if said user is assigned to said role, and both said instances were derived on the same set of host computers; and
including the members of a local instance of a first role in a local instance of a second role, if the second role inherits the membership of the first role, and both said instances were derived on the same host computer; and
including the global instance of a first role as a member of a local instance of a second role, if the second role inherits the membership of the first role, and said local instance was derived on a host computer included in the set of host computers used to derive said global instance; and
including the members of a global instance of a first role in a global instance of a second role, if the second role inherits the membership of the first role, and both said instances were derived on the same set of host computers.
5. The method of claim 3, further comprising:
computing, displaying, reviewing, and listing the permissions of any role to abstract objects; and
computing, displaying, reviewing, and listing the permissions of any role to object instances; and
computing, displaying, reviewing, and listing the permissions of any role instance to object instances.

6. The method of claim 5, further comprising:
determining whether two or more roles share permissions on any abstract objects; and
determining whether two or more roles share permissions on any object instances; and
determining whether two or more role instances share permissions on any object instances; and
implementing and testing any policy that is satisfied by the determination of whether two or more roles share permissions to abstract objects; and
implementing and testing any policy that is satisfied by the determination of whether two or more roles share permissions to object instances; and
implementing and testing any policy that is satisfied by the determination of whether two or more role instances share permissions to object instances.

7. The method of claim 6, further comprising:
implementing and testing generalized separation-of-duty policies; and
implementing and testing operational separation-of-duty policies.
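As an added worked example (not code from the patent or from any implementation it describes), the following Python computes the shared-permission determination of claim 6 over a permission-inheritance directed acyclic graph and uses it to test the two kinds of separation-of-duty policy named in claim 7. The claims do not define those policies, so the readings used here are assumptions: generalized separation of duty forbids two roles declared mutually exclusive from sharing any permission on any abstract object, and operational separation of duty forbids any single role from holding every permission a sensitive operation needs. Role names, objects, permissions and policies are constructed.

```python
"""Added example (not the patent's code): shared-permission determination on a
permission-inheritance DAG and separation-of-duty checks built on it.
Roles, objects, permissions and policies are constructed."""
from collections import defaultdict


class RoleDag:
    def __init__(self):
        self.inherits = defaultdict(set)  # inheritor -> {inherited}
        self.abstract_acl = defaultdict(lambda: defaultdict(set))  # obj -> role -> perms

    def add_arc(self, inheritor, inherited):
        if not arc_is_safe(self, inheritor, inherited):
            raise ValueError(f"{inheritor}->{inherited} would close a cycle")
        self.inherits[inheritor].add(inherited)

    def grant(self, role, obj, *perms):
        self.abstract_acl[obj][role].update(perms)

    def roles(self):
        return set(self.inherits) | {r for e in self.abstract_acl.values() for r in e}

    def descendants(self, role):  # the role plus everything it transitively inherits from
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def effective_perms(self, role):  # obj -> perms held directly or by inheritance
        out = defaultdict(set)
        for r in self.descendants(role):
            for obj, entries in self.abstract_acl.items():
                out[obj] |= entries.get(r, set())
        return {obj: p for obj, p in out.items() if p}

    def shared_perms(self, *roles):  # obj -> perms that every listed role holds
        eff = [self.effective_perms(r) for r in roles]
        shared = {}
        for obj in set.intersection(*(set(e) for e in eff)):
            common = set.intersection(*(e[obj] for e in eff))
            if common:
                shared[obj] = common
        return shared


def arc_is_safe(dag, inheritor, inherited):
    """A new arc keeps the graph acyclic iff the inheritor is not already
    among the roles the inherited role reaches."""
    return inheritor not in dag.descendants(inherited)


def generalized_sod_violations(dag, exclusive_pairs):
    """Generalized (static) SoD as read here: two roles declared mutually
    exclusive must not share any permission on any abstract object."""
    return [(a, b, obj, frozenset(p))
            for a, b in exclusive_pairs
            for obj, p in sorted(dag.shared_perms(a, b).items())]


def operational_sod_violations(dag, operations):
    """Operational SoD as read here: no single role may hold every permission
    an operation needs. `operations`: name -> [(obj, perm), ...]."""
    found = []
    for op, steps in operations.items():
        for role in sorted(dag.roles()):
            eff = dag.effective_perms(role)
            if all(perm in eff.get(obj, set()) for obj, perm in steps):
                found.append((op, role))
    return found


def build_sample():
    """Constructed purchasing workflow; the manager role is deliberately
    over-privileged so that both checks report something."""
    dag = RoleDag()
    dag.add_arc("purchasing-manager", "requester")
    dag.add_arc("purchasing-manager", "approver")
    dag.add_arc("auditor", "reader")
    dag.grant("requester", "purchase-order", "create")
    dag.grant("approver", "purchase-order", "approve", "read")
    dag.grant("reader", "purchase-order", "read")
    return dag


EXCLUSIVE_PAIRS = [("requester", "approver"), ("approver", "auditor")]
OPERATIONS = {"raise-and-approve-po": [("purchase-order", "create"),
                                       ("purchase-order", "approve")]}
```

The determination itself is `shared_perms`, which works on effective rather than directly assigned permissions, because a role that inherits a permission through the DAG shares it just as much as one that was granted it directly; the two policy functions are only consumers of that determination, which is the structure claim 6 describes. The acyclicity check in `add_arc` is the guard a practitioner wants on any graph that is traversed without a visited set elsewhere.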

8. The method of claim 3, further comprising:
automatic distribution of permissions on object instances to role instances whenever new permission-inheritance relations are established among roles; and
automatic distribution of permissions on object instances to role instances whenever new roles are added to the directed acyclic graph; and
automatic distribution of permissions on object instances to role instances whenever a new role instance is created for a role on a host computer or set of host computers; and
automatic distribution of permissions on object instances to role instances whenever a new object instance is created for an abstract object on a host computer or set of host computers; and
automatic distribution of permissions on object instances to role instances whenever a new permission is granted to a role.

9. The method of claim 3, further comprising:
automatic revocation and recalculation of permissions on object instances for role instances whenever permission-inheritance relations among roles are removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever roles are removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever an abstract object is removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever a permission is revoked from a role.

10. The method of claim 3, further comprising:
scalable, automatic distribution, revocation, and recalculation of permissions of role instances to object instances that support efficient access authorization.

11. The method of claim 10, further comprising:
adding a new permission-inheritance arc to the directed acyclic graph between a first role called the inheritor role and a second role called the inherited role, whereby the inheritor and all its ascendant roles inherit all the permissions of the inherited role and its descendant roles in the directed acyclic graph; and
automatically selecting the roles that do not have instances on a host computer or set of host computers from the set comprising the said inherited role and its descendants in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the inheritor role.

Atty. Dkt. No.: 068398/0106

12. The method of claim 11, further comprising:
removing a permission-inheritance arc from the directed acyclic graph between a first role called the inheritor role and a second role called the inherited role; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the inheritor role.

13. The method of claim 11, further comprising:
revoking an abstract permission to an abstract object from a role where said abstract object has an instance on a host computer or set of host computers; and
automatically updating the association between the said role and the set of accessible abstract objects; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the said role.

14. The method of claim 11, further comprising deleting a role from the directed acyclic graph, said deleting comprising:
selecting a role for deletion from the directed acyclic graph;
automatically removing the said role from the access control lists of all abstract objects accessible to said role; and
automatically deleting the association between said role and all abstract objects accessible to said role; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from any direct ascendant of the selected role; and
automatically deleting all instances of the selected role; and
automatically deleting the selected role from the directed acyclic graph.

15. The method of claim 10, further comprising:
creating an instance of a role on a host computer or set of host computers; and
automatically selecting the roles that did not have instances on said host computer or set of host computers prior to the creation of said role instance, wherein the selection is performed from said role and its descendant roles in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to said role instance just created.

16. The method of claim 10, further comprising:
creating an instance of a user on a host computer or set of host computers; and
automatically selecting the roles that did not have instances on said host computer or set of host computers prior to the creation of said user instance, wherein the selection is performed from said user and its descendant roles in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to said user instance just created.

17. The method of claim 10, further comprising:
granting a role an abstract permission to an abstract object that has an instance on a host computer or set of host computers and automatically causing the said role's ascendant roles and users to inherit the said abstract permission; and
automatically updating the association between the said role and the set of accessible abstract objects; and
automatically mapping the said abstract permission of said role on said abstract object to a set of permissions for the object instance; and
automatically granting said set of permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the role being granted the abstract permission.

18. The method of claim 10, further comprising:
instantiating an abstract object on a host computer or set of host computers; and
automatically reading the access control list of the abstract object and computing the set of roles that have abstract permissions to the said abstract object; and
for each role in the said set, automatically mapping the abstract permissions of said role on said abstract object to a set of permissions for the object instance; and
automatically granting said set of permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from said role.

19. The method of claim 10, further comprising deleting an abstract object, including the steps of:
automatically finding and deleting all instances of said abstract object and their access control lists; and
automatically reading the access control list of said abstract object and, for each role found in the said access control list, removing the said abstract object from the association between said role and its set of accessible abstract objects; and
automatically deleting the said abstract object and its access control list.
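As an added worked example (not the patent's code), the following Python models the host-level distribution and revocation steps of claims 11 through 19: per-host role instances and object instances, the selection of roles that have no instance on the host, the mapping of their abstract permissions onto the object instances present on the host, and the grant to the first instantiated role met when walking against the inheritance arcs from the role where the change happened. Revocation (claims 12 to 14) is done here by a full recalculation from the abstract model, which is one way to carry out the "recalculating permissions and granting said permissions" step; the `consistent` check then confirms that the incremental grants agree with that recalculation. Host names, paths, roles and permissions are constructed, and access that an instantiated descendant role already carries is assumed to reach its ascendants through the group nesting of claim 3, which is why only roles without an instance are selected.

```python
"""Added example (not the patent's code): per-host distribution and revocation
of permissions as the role DAG changes. Names and paths are constructed."""
from collections import defaultdict


class Host:
    """Roles instantiated here (as OS groups), abstract objects with instances
    here, and the per-instance ACL that the distribution steps maintain."""
    def __init__(self, name):
        self.name = name
        self.role_instances = set()                       # roles with a group here
        self.object_instances = defaultdict(set)          # abstract object -> {paths}
        self.acl = defaultdict(lambda: defaultdict(set))  # path -> role -> perms

    def snapshot(self):  # plain dict view without empty entries, for comparison
        return {p: {r: set(v) for r, v in e.items() if v}
                for p, e in self.acl.items() if any(e.values())}


class Rbac:
    def __init__(self):
        self.inherits = defaultdict(set)  # inheritor -> {inherited} (permission arcs)
        self.abstract_acl = defaultdict(lambda: defaultdict(set))  # obj -> role -> perms
        self.hosts = {}

    def descendants(self, role):  # the role plus all roles it transitively inherits from
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def first_instantiated_ascendants(self, host, start):
        """Walk against the arcs from `start`; on every path stop at the first
        role that has an instance on `host` and collect it (claim 11)."""
        inheritors = defaultdict(set)
        for a, bs in self.inherits.items():
            for b in bs:
                inheritors[b].add(a)
        found, seen, stack = set(), set(), [start]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            if r in host.role_instances:
                found.add(r)  # grant here and stop on this path
            else:
                stack.extend(inheritors.get(r, ()))
        return found

    def grant_on_host(self, host, targets, roles):
        """Map the abstract permissions of `roles` onto the object instances on
        `host` and grant the result to each target role instance."""
        for obj, paths in host.object_instances.items():
            for role in roles:
                for path in paths:
                    for target in targets:
                        host.acl[path][target] |= self.abstract_acl[obj].get(role, set())

    def add_arc(self, inheritor, inherited):  # claim 11: incremental distribution
        if inheritor in self.descendants(inherited):
            raise ValueError("arc would create a cycle")
        self.inherits[inheritor].add(inherited)
        for host in self.hosts.values():
            selected = {r for r in self.descendants(inherited) if r not in host.role_instances}
            self.grant_on_host(host, self.first_instantiated_ascendants(host, inheritor), selected)

    def create_role_instance(self, host, role):  # claim 15
        selected = {r for r in self.descendants(role) if r not in host.role_instances}
        host.role_instances.add(role)
        self.grant_on_host(host, {role}, selected)

    def remove_arc(self, inheritor, inherited):  # claim 12: revoke by recalculation
        self.inherits[inheritor].discard(inherited)
        for host in self.hosts.values():
            self.recalculate(host)

    def recalculate(self, host):
        """Rebuild the host ACL: each role instance holds its own permissions
        plus those of its descendants that have no instance on this host."""
        host.acl.clear()
        for role in host.role_instances:
            own_and_uninstantiated = {r for r in self.descendants(role)
                                      if r == role or r not in host.role_instances}
            self.grant_on_host(host, {role}, own_and_uninstantiated)


def consistent(model, host):  # incremental grants must equal a full recalculation
    before = host.snapshot()
    model.recalculate(host)
    return before == host.snapshot()


def build_sample():  # constructed: one host, two role instances, two object instances
    m, h = Rbac(), Host("app-host-1")
    m.hosts[h.name] = h
    h.object_instances["syslog"].add("/var/log/syslog")
    h.object_instances["service-config"].add("/etc/app/app.conf")
    m.abstract_acl["syslog"]["reader"] = {"read"}
    m.abstract_acl["syslog"]["auditor"] = {"read", "archive"}
    m.abstract_acl["service-config"]["operator"] = {"read", "write"}
    m.add_arc("operator", "reader")     # operator inherits reader's permissions
    m.add_arc("admin", "operator")
    m.add_arc("auditor", "reader")
    m.create_role_instance(h, "admin")  # operator and reader get no group here
    m.create_role_instance(h, "auditor")
    return m, h


def run_scenario():  # host ACL after each change, with the consistency check
    m, h = build_sample()
    steps = [("created instances", h.snapshot(), consistent(m, h))]
    m.remove_arc("admin", "operator")
    steps.append(("removed admin->operator", h.snapshot(), consistent(m, h)))
    m.add_arc("admin", "auditor")
    steps.append(("added admin->auditor", h.snapshot(), consistent(m, h)))
    return steps
```

Two things worth noticing in `run_scenario`: after the arc from admin to operator is removed, the admin group loses its entries on both instances without any search through the host, because the recalculation is driven entirely from the abstract model; and when admin later inherits auditor, only reader's "read" is copied to the admin group, since auditor has its own group on the host and the claims leave auditor's "archive" to be reached through nesting rather than duplicating it.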

20. The method of claim 10, further comprising:
deriving a directed acyclic graph of roles representing both membership and permission inheritance, abstract objects, and abstract permissions, from the user account, group, and access control list and permission structures of extant operating systems; and
performing the incremental transition from an extant permission management system to automatic permission management in RBAC.

21. The method of claim 20, further comprising:
deriving membership-inheritance and permission-inheritance relationships among the existing user accounts and groups; and
creating roles and assigning selected user accounts and groups to said roles; and
deriving membership-inheritance and permission-inheritance relationships among said roles and obtaining a directed acyclic graph for each type of inheritance relationship; and
transforming the said directed acyclic graphs into a single directed acyclic graph of membership inheritance that preserves the permissions of the user accounts defined by permission inheritance.
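As an added worked example (not the patent's procedure), the following Python derives the two inheritance graphs of claim 21 from existing group membership and ACL data and folds them into a single membership (group-nesting) directed acyclic graph. The derivation rule is an assumption: a group whose member set is a strict subset of another's is taken to have its membership inherited by the larger group, and a group whose permission set is a strict subset of another's is taken to have its permissions inherited by the larger group; permission inheritance is then realised by nesting the inheriting group inside the inherited group, which reverses those arcs before the two sets are merged. The merge can be cyclic when the two orders disagree, so the function reports the offending groups instead of emitting a graph. Group, user and permission data are constructed.

```python
"""Added example (not the patent's procedure): deriving inheritance DAGs from
existing group and ACL data and folding them into one group-nesting DAG.
The containment rule and nesting direction are assumptions; data is constructed."""


def containment_arcs(sets):
    """(a, b) for every pair where sets[a] is a strict subset of sets[b]:
    read as 'b inherits from a'."""
    return {(a, b) for a, sa in sets.items() for b, sb in sets.items()
            if a != b and sa < sb}


def cycle_members(nodes, arcs):
    """Kahn's algorithm; returns the nodes left on a cycle (empty for a DAG)."""
    indeg = {n: 0 for n in nodes}
    for _, b in arcs:
        indeg[b] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    while ready:
        n = ready.pop()
        for a, b in arcs:
            if a == n:
                indeg[b] -= 1
                if indeg[b] == 0:
                    ready.append(b)
    return {n for n in nodes if indeg[n] > 0}


def transitive_reduction(nodes, arcs):
    """Drop arcs implied by a longer path so only direct inheritance remains."""
    succ = {n: {b for a, b in arcs if a == n} for n in nodes}

    def reach(n):
        seen, stack = set(), list(succ[n])
        while stack:
            x = stack.pop()
            if x not in seen:
                seen.add(x)
                stack.extend(succ[x])
        return seen

    return {(a, b) for a, b in arcs
            if not any(c != b and b in reach(c) for c in succ[a])}


def membership_dag(users_of, perms_of):
    """Membership arc (a, b): b inherits a's members, so group a is nested in b.
    Permission arc (a, b): b inherits a's permissions, which group nesting
    delivers only if b is nested in a, so the arc is reversed. Returns
    (reduced nesting arcs, groups on a cycle); arcs are empty on conflict."""
    nodes = set(users_of) | set(perms_of)
    nesting = containment_arcs(users_of) | {(b, a) for a, b in containment_arcs(perms_of)}
    cycle = cycle_members(nodes, nesting)
    if cycle:
        return set(), cycle
    return transitive_reduction(nodes, nesting), set()


# Constructed data: admins are also ops, ops are also staff, and the
# permission sets grow the same way, so the two orders agree.
USERS_OF = {"staff": {"alice", "bob", "carol", "dave"},
            "ops": {"bob", "carol"}, "admins": {"carol"}}
PERMS_OF = {"staff": {("wiki", "read")},
            "ops": {("wiki", "read"), ("deploy", "run")},
            "admins": {("wiki", "read"), ("deploy", "run"), ("deploy", "configure")}}

# Constructed conflict: interns are a subset of staff but hold fewer permissions
# than staff, so nesting interns in staff would silently widen their access.
USERS_OF_CONFLICT = {"staff": {"alice", "bob", "carol"}, "interns": {"carol"}}
PERMS_OF_CONFLICT = {"staff": {("wiki", "read"), ("wiki", "write")},
                     "interns": {("wiki", "read")}}
```

The transitive reduction matters for the migration the claim describes: nesting admins directly in staff as well as in ops would be harmless for access but would leave a redundant membership that later revocation steps must remember to clean up, which is exactly the redundant storage claim 1 sets out to avoid. The conflict case is the check to run before any group is actually re-nested on a live system.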
22. A computer program product containing computer readable code for causing a machine to perform the following method steps:
automatic distribution, review and revocation of user and group permissions to objects through management of role permissions to abstract objects in a computing environment comprising a role-based access control system that includes a directed acyclic graph representing role-membership inheritance relationships and a directed acyclic graph representing role-permission inheritance relationships;
association of each role with the set of abstract objects accessible to the said role, said association requiring neither redundant storage and maintenance of permissions nor exhaustive system searches.

23. A program product as defined in claim 22, further comprising code for performing the following method steps:
defining and managing the abstract permissions of a role on abstract objects;
finding, retrieving, and displaying abstract permissions of a role on abstract objects;
adding an abstract object to the set of abstract objects associated with a role whenever said abstract object becomes accessible to said role; and
deleting an abstract object from the set of abstract objects associated with a role whenever said abstract object becomes inaccessible to said role.

24. A program product as defined in claim 23, further comprising code for performing the following method steps:
creating, finding, retrieving, displaying, and deleting instances of a role on a host computer or set of host computers, using group nesting and a directed acyclic graph of role-membership inheritance;
creating, finding, retrieving, displaying, and deleting object instances of abstract objects on a host computer or set of host computers;
registering objects as instances of abstract objects on a host computer or set of host computers;
deriving permissions of a role instance on object instances from the abstract permissions of said role on said abstract objects;
registering permissions on objects as instances of abstract permissions on abstract objects on a host computer or set of host computers; and
finding, retrieving, and displaying the permissions derived from abstract permissions defined on abstract objects.

25. A program product as defined in claim 24, further comprising code for performing the following method steps:
creating an instance of an RBAC user on a set of host computers, said user instance being called global with respect to said set of host computers;
creating an instance of an RBAC user on a host computer, said user instance being called local with respect to said host computer, unless said host computer is used to control a set of host computers, in which case the instance is called global with respect to said set of host computers;
creating a role instance on a set of host computers, said role instance being called global with respect to said set of host computers;
creating a role instance on a host computer, said role instance being called local with respect to said host computer, unless said host computer is used to control a set of host computers, in which case one can select whether the instance will be local with respect to said host computer, or global with respect to said set of host computers;
including a local user instance in a local role instance, if said user is assigned to said role, and both said instances were derived on the same host computer;
including a global user instance in a local role instance, if said user is assigned to said role, and said local role instance was derived on a host computer included in the set of host computers used to derive said global user instance;
including the global user instance in a global role instance, if said user is assigned to said role, and both said instances were derived on the same set of host computers;
including the members of a local instance of a first role in a local instance of a second role, if the second role inherits the membership of the first role, and both said instances were derived on the same host computer;
including the global instance of a first role as a member of a local instance of a second role, if the second role inherits the membership of the first role, and said local instance was derived on a host computer included in the set of host computers used to derive said global instance; and
including the members of a global instance of a first role in a global instance of a second role, if the second role inherits the membership of the first role, and both said instances were derived on the same set of host computers.

26. A program product as defined in claim 24, further comprising code for performing the following method steps:
computing, displaying, reviewing, and listing the permissions of any role to abstract objects; and
computing, displaying, reviewing, and listing the permissions of any role to object instances; and
computing, displaying, reviewing, and listing the permissions of any role instance to object instances.

27. A program product as defined in claim 26, further comprising code for performing the following method steps:
determining whether two or more roles share permissions on any abstract objects; and
determining whether two or more roles share permissions on any object instances; and
determining whether two or more role instances share permissions on any object instances; and
implementing and testing any policy that is satisfied by the determination of whether two or more roles share permissions to abstract objects; and
implementing and testing any policy that is satisfied by the determination of whether two or more roles share permissions to object instances; and
implementing and testing any policy that is satisfied by the determination of whether two or more role instances share permissions to object instances.

28. A program product as defined in claim 27, further comprising code for performing the following method steps:
implementing and testing generalized separation-of-duty policies; and
implementing and testing operational separation-of-duty policies.

29. A program product as defined in claim 24, further comprising code for performing the following method steps:
automatic distribution of permissions on object instances to role instances whenever new permission-inheritance relations are established among roles; and
automatic distribution of permissions on object instances to role instances whenever new roles are added to the directed acyclic graph; and
automatic distribution of permissions on object instances to role instances whenever a new role instance is created for a role on a host computer or set of host computers; and
automatic distribution of permissions on object instances to role instances whenever a new object instance is created for an abstract object on a host computer or set of host computers; and
automatic distribution of permissions on object instances to role instances whenever a new permission is granted to a role.

30. A program product as defined in claim 24, further comprising code for performing the method steps of:
automatic revocation and recalculation of permissions on object instances for role instances whenever permission-inheritance relations among roles are removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever roles are removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever an abstract object is removed; and
automatic revocation and recalculation of permissions on object instances for role instances whenever a permission is revoked from a role.

31. A program product as defined in claim 24, further comprising code for performing the method step of:
scalable, automatic distribution, revocation, and recalculation of permissions of role instances to object instances that support efficient access authorization.

32. A program product as defined in claim 31, further comprising code for performing the method steps of:
adding a new permission-inheritance arc to the directed acyclic graph between a first role called the inheritor role and a second role called the inherited role, whereby the inheritor and all its ascendant roles inherit all the permissions of the inherited role and its descendant roles in the directed acyclic graph; and
automatically selecting the roles that do not have instances on a host computer or set of host computers from the set comprising the said inherited role and its descendants in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the inheritor role.

33. A program product as defined in claim 32, further comprising code for performing the method steps of:
removing a permission-inheritance arc from the directed acyclic graph between a first role called the inheritor role and a second role called the inherited role; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the inheritor role.

34. A program product as defined in claim 32, further comprising code for performing the method steps of:
revoking an abstract permission to an abstract object from a role where said abstract object has an instance on a host computer or set of host computers; and
automatically updating the association between the said role and the set of accessible abstract objects; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the said role.

35. A program product as defined in claim 32, further comprising code for performing the method steps of deleting a role from the directed acyclic graph, said deleting comprising:
selecting a role for deletion from the directed acyclic graph;
automatically removing the said role from the access control lists of all abstract objects accessible to said role; and
automatically deleting the association between said role and all abstract objects accessible to said role; and
automatically recalculating permissions and granting said permissions to the instance of each first encountered role instantiated on a host computer or set of host computers, by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from any direct ascendant of the selected role; and
automatically deleting all instances of the selected role; and
automatically deleting the selected role from the directed acyclic graph.

36. A program product as defined in claim 31, further comprising code for performing the method steps of:
creating an instance of a role on a host computer or set of host computers; and
automatically selecting the roles that did not have instances on said host computer or set of host computers prior to the creation of said role instance, wherein the selection is performed from said role and its descendant roles in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to said role instance just created.

37. A program product as defined in claim 31, further comprising code for performing the method steps of:
creating an instance of a user on a host computer or set of host computers; and
automatically selecting the roles that did not have instances on said host computer or set of host computers prior to the creation of said user instance, wherein the selection is performed from said user and its descendant roles in the directed acyclic graph; and
automatically computing a set of permissions by mapping the abstract permissions of said selected roles on all abstract objects that do have instances on said host computer or set of host computers; and
automatically granting said computed permissions to said user instance just created.
002.590578.1

38. A program product as defined in claim 31, further comprising code for performing the method steps of:
granting a role an abstract permission to an abstract object that has an instance on a host computer or set of host computers and automatically causing the said role's ascendant roles and users to inherit the said abstract permission; and
automatically updating the association between the said role and the set of accessible abstract objects; and
automatically mapping the said abstract permission of said role on said abstract object to a set of permissions for the object instance; and
automatically granting said set of permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from the role being granted the abstract permission.

39. A program product as defined in claim 31, further comprising code for performing the method steps of:
instantiating an abstract object on a host computer or set of host computers; and
automatically reading the access control list of the abstract object and computing the set of roles that have abstract permissions to the said abstract object; and
for each role in the said set, automatically mapping the abstract permissions of said role on said abstract object to a set of permissions for the object instance; and
automatically granting said set of permissions to the instance of each first encountered role instantiated on said host computer or set of host computers by traversing the directed acyclic graph in the direction opposite to that of the inheritance arcs on any path starting from said role.

40. A program product as defined in claim 31, further comprising code for performing the method steps of deleting an abstract object, comprising code for:
automatically finding and deleting all instances of said abstract object and their access control lists; and
automatically reading the access control list of said abstract object and, for each role found in the said access control list, removing the said abstract object from the association between said role and its set of accessible abstract objects; and
automatically deleting the said abstract object and its access control list.

41. A program product as defined in claim 31, further comprising code for performing the method steps of:
deriving a directed acyclic graph of roles representing both membership and permission inheritance, abstract objects, and abstract permissions, from the user account, group, and access control list and permission structures of extant operating systems; and
performing the incremental transition from an extant permission management system to automatic permission management in RBAC.

42. A program product as defined in claim 31, further comprising code for performing the method steps of:
deriving membership-inheritance and permission-inheritance relationships among the existing user accounts and groups; and
creating roles and assigning selected user accounts and groups to said roles; and
deriving membership-inheritance and permission-inheritance relationships among said roles and obtaining a directed acyclic graph for each type of inheritance relationship; and
transforming the said directed acyclic graphs into a single directed acyclic graph of membership inheritance that preserves the permissions of the user accounts defined by permission inheritance.